Botnets
Abhishek Debchoudhury
Jason Holmes
What is a botnet?
A network of computers running software that
runs autonomously.
In a security context we are interested in botnets
in which the computers have been compromised
and are under the control of a malicious
adversary.
What are botnets used for?
• Spam
o ~85% of email is spam
• DDoS attacks
• Identity theft
o Cost in 2006: $15.6 billion
• Phishing attacks
o 4500 active sites at any given time, 1 million
previously active sites
What are botnets used for?
• Hosting pirated software
• Hosting and distributing malware
• Click fraud
o ~14% of all advertisement clicks are fraudulent
• Packet sniffing
What's a botmaster?
• Person(s) controlling the botnet
o Business person
 Often paid by customers
 Willing to rent out botnet
o Glory Hound
 Brags about size of botnet
 Willing to talk to researchers
o Script kiddies
 Inexperienced
Command Topologies
• Star
o Bots tied to centralized C&C server.
• Multi-Server
o Same as star but with multiple C&C servers
• Hierarchical
o Parent bot control child bots
• Random
o Full P2P support
Topology Tradeoffs
Control vs. Survivability
• More Control
o
Easier to get botnet to do your bidding
o
Easier to shut down
• Survivability
o
Harder to shut down
o
Less control
Communication Methods
• HTTP
o Easy for attacker to blend in
• IRC
o Harder to hide since IRC is much less used than
HTTP
• Custom
o Makes use of new application protocols
Propagation Methods
• Scanning
o 0-day attacks
o Worm-like behavior
• Infected e-mail attachments
• Drive-by-downloads
• Trojan horses
Infection Procedure
History and Notable Botnets
• 1999 - Sub7
• 2000 - GTbot a bot based on mIRC
• 2002 - SDbot small c++ binary with widely available source
code
• 2002 - Agobot staged attacked with modular payload
• 2003 - Sinit first peer-to-peer botnet
• 2004 - Bagle and Bobax first spamming botnets
• 2007 - Storm botnet
• 2009 - Waledac botnet
• 2009 - Zeus botnet
Defense
Three main issues:
1. How to find them
2. Decide how to fight them (defense vs offense)
3. How to negate the threat
Detection: Analyze Network Traffic
• Temporal
o Same repeated traffic pattern from node
• Spatial
o Nodes in same subnet likely infected
Detection: Packet Analysis
• Using statistical analysis on network traffic
flows
• Classify packets based on payload signature
and destination port
o Looking for clusters of similar data packets
o n-gram byte distribution
• IRC botnet traffic it is not very diverse
compared to traffic generated by humans
Strategy
Active: attack the source
• Shut down C&C server
• Re-route DNS
• Pushback
Passive: defend at the target
• Filters
• Human attestation
• Collective defense
Defense - Change DNS routing
Defender figures out domain that attacker is using and takes
control
Pros:
• Central point of attack
• Severs botmaster's ability to communicate with the botnet
Cons:
• Not all bot nets have C&C server
• C&C domain changes often
o > 97% turn over per week
Defense -Black Lists
Defender creates list of attackers.
Used primarily as spam fighting technique
Pros:
• Allows for broad knowledge sharing
• Easy to maintain/understand
Cons:
• List has to be continually updated
• Innocent service providers get blocked
Defense -Human Attestation
Defender requests that client prove his humanity.
• Requires the client to have a trusted attester
o Accomplished through the use of a Trusted
Platform Module
• Several methods for an attester to determine that
the actions were initiated by a human
o Through the use of secure input devices which
cryptographically sign their output
o CAPTCHA or secure prompt
o Analyze keystrokes and mouse movement
Defense - Collective defense
We must all hang together or assuredly we shall all hang
separately.
-- Benjamin Franklin
• Key contentions
o Most end users don't know/care about security
o The best way to secure the internet is through a
collective effort without relying on end users
o Compromised hardware must be quarantined until
healthy
• Authenticate healthiness before network access
o Public Health Model for Internet
• Allow everyone but identify suspicious behavior
o Japan's Cyber Clean Center
o Finnish national Computer Emergency Response Team
Thanks